Summary: A combination of poor security policies on Twitter's part and users with easily crackable passwords has left Twitter users with desirable handles vulnerable to having their accounts stolen. One Twitter user, Daniel Dennis Jones, with the handle “@blanket”, recently had his account hijacked. After a brief investigation, he discovered it was being advertised for sale on a site called forumkorner. A link to a write-up by Jones is available within the article and details how he discovered that his account and others were being swapped around by teenagers. The hackers in this instance used programs that repeatedly attempted to log in with commonly used passwords. Twitter did not respond to CNET for comment, and many experts say that attacks like this are far too common across internet sites and services. In the end, Jones was able to get his handle back free of charge and is now much more conscious about the strength of his passwords.
Analysis: There are a myriad of problems here that have made these accounts vulnerable to hackers. The scariest part of this article is that the hack was so easily accomplished by teenagers. Programs that brute-force logins with common passwords are readily available to anyone who seeks them. The article stated that, unlike Gmail and some other websites, Twitter limited the number of log-in attempts by IP address rather than per account. This weakness gave the hackers the chance to spread their attempts across multiple IP addresses and brute-force the accounts. These brute-force programs used common passwords, highlighting the fact that many users have poorly constructed passwords to begin with.
The first thing that Twitter could do to mitigate the threat of these types of hacks is to implement a policy similar to Gmail’s. Login attempts should be limited on a per-account basis rather than a per-IP-address basis, which would eliminate the threat of brute-force attacks. Additionally, Twitter could employ a two-factor authentication system to strengthen security. The use of a CAPTCHA may also be useful to ensure that a human is initiating each login attempt, rather than a brute-force cracking program. Finally, Twitter should update its password policy to encourage users to create strong passwords for their accounts. As with the implementation of any security measure, Twitter must be careful not to tighten security to such a degree that it frustrates or discourages its users.
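To make the per-IP versus per-account distinction concrete, here is an added example (not code from the article or from Twitter) of a small login throttle that can key failed attempts on the source IP, the target account, or both; the simulation at the end is a constructed scenario showing how guesses spread over many addresses slip past an IP-only limit but not a per-account one. The limits, window and IP range are assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts allowed inside the window (assumed)
WINDOW_SECONDS = 15 * 60  # sliding window length (assumed)


class LoginThrottle:
    """Tracks failed logins keyed by source IP and/or target account.
    A key is locked once it accumulates MAX_FAILURES inside WINDOW_SECONDS."""

    def __init__(self, per_account=True, per_ip=True):
        self.per_account = per_account
        self.per_ip = per_ip
        self._failures = defaultdict(list)  # key -> timestamps of failures

    def _keys(self, username, ip):
        keys = []
        if self.per_account:
            keys.append(("acct", username.lower()))
        if self.per_ip:
            keys.append(("ip", ip))
        return keys

    def _recent(self, key, now):
        # Drop failures that have fallen out of the sliding window.
        self._failures[key] = [t for t in self._failures[key] if now - t < WINDOW_SECONDS]
        return len(self._failures[key])

    def is_locked(self, username, ip, now=None):
        now = time.time() if now is None else now
        return any(self._recent(k, now) >= MAX_FAILURES for k in self._keys(username, ip))

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        for k in self._keys(username, ip):
            self._failures[k].append(now)


def simulate_distributed_guessing(throttle, username, n_ips, guesses_per_ip):
    """Constructed scenario: failed guesses against one account, spread over
    n_ips source addresses. Returns how many guesses the throttle let through."""
    allowed = 0
    for i in range(n_ips):
        ip = f"198.51.100.{i}"  # constructed addresses from a documentation range
        for _ in range(guesses_per_ip):
            if throttle.is_locked(username, ip, now=0.0):
                continue
            allowed += 1
            throttle.record_failure(username, ip, now=0.0)
    return allowed
```

With 20 addresses and 10 guesses each, the IP-only throttle admits 100 failed guesses, while either configuration that keys on the account stops at 5.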